Draft plan requires agency use of key-recovery technology

While the debate on encryption policy continues to play out this month on Capitol Hill, a technical advisory committee has yet to decide whether to force agencies to include the controversial key recovery in a standard it is developing for governmentwide use.

The committee, which is developing a standard for agency use of public-key cryptography, plans to recommend to the Commerce Department that agencies apply the new standard to all products they use for general encryption of unclassified data, according to a preliminary copy of a draft Federal Information Processing Standard (FIPS) for key-recovery systems, which Federal Computer Week obtained last week.

The standard must be applied by agencies when computer files are encrypted for secure storage or transmission and when e-mail is encrypted before transmission, according to the draft. Agencies also must apply the standard when electronic voice communications are encrypted and when keys are backed up for emergency recovery, such as when a system administrator, who may have the only key, dies suddenly.

Public-key cryptography involves the use of two keys: one that is available to everyone and another that is kept secret by the user. The key-recovery mechanism, which the Clinton administration and law enforcement agencies support, is aimed broadly at allowing users whose private keys have been lost or stolen to recover them.

Santosh Chokhani, president of Cygnacom Solutions and a member of the advisory committee, said that although the committee has made substantial progress on the framework, some security issues have yet to be resolved. For example, the group has not determined if the encryption mechanism on federal users' workstations should force users to employ key recovery.

"We're trying to be inclusive and accommodating for various key-recovery schemes," Chokhani said. "The group is making good progress on some of the technical issues. There is no ideal solution for this thing."

The Clinton administration's key-recovery policy would allow the FBI and other agencies to obtain - through a court order - access to a user's private key to unscramble encrypted data. Privacy advocates contend that the United States should have no rules requiring the use of key-recovery software. After public backlash to a 1994 proposal to require all encryption users to register their keys with the government, the Clinton administration recently has supported a plan to encourage voluntary domestic use of key-recovery systems.

Last week, however, FBI director Louis Freeh told a Senate subcommittee that encryption products sold domestically should be required to employ a key-recovery mechanism. The nation's law enforcement community, led by the FBI, has insisted that their pursuit of a variety of criminals would be hampered by the widespread use of encryption with no key-recovery mechanism to allow law enforcement officials to unscramble encrypted data.

David Sobel, legal counsel for the Electronic Privacy Information Center, said the draft standard indicates that proponents of key recovery, such as law enforcement agencies and the Clinton administration, are trying to promote the widespread use of key-recovery products through federal agency purchases.

"They continue to abuse the FIPS process to influence what is happening in the private sector," Sobel said.
